What You Need to Know About Windows Server 2003 R2 Network Access Protection

Editor's Note: After this article was published, Microsoft announced that the NAP feature, originally scheduled for Windows Server 2003 R2, is now delayed until Longhorn Server so that Microsoft can rebuild the product to interoperate with Cisco System's switch-based security and health assurance technology, called Network Admissions Control (NAC). For more information, see Paul Thurrott's Web exclusive article "Microsoft Updates Windows Server Roadmap: What Happened to R2?," InstantDoc ID 44294.

Now that Microsoft has revealed its plans for interim Windows Server releases to follow each major Windows Server release by 2 years, the company has started filling in the details about its first interim Windows Server release, currently known as Windows 2003 Release 2 (code-named R2). One of the more intriguing security-oriented features that will grace this next minor update to Windows 2003 is Network Access Protection (NAP), a client-quarantine feature that will prevent clients from accessing a network until they prove compliance with company computer policy. Here's what you need to know about R2 NAP.

What Is It? NAP addresses a huge concern in today's enterprises. Remote clients—typically notebook computers that might be disconnected from the network for extended periods of time—are currently authenticated only for user credentials, not for compliance with an organization's computer policies. Consequently, an out-of-date or potentially compromised computer could authenticate to your internal network and release viruses or other malicious software (malware) to run rampant.

With a quarantine solution in place, a client that authenticates against the domain would need to do more than validate the user's credentials. The authentication requirements depend on your corporate policy: You might require that the client OS includes a certain service pack or set of hotfixes, that the client's antivirus software definitions are up-to-date, or that certain security controls are in place. If a client didn't meet these requirements, the quarantine application wouldn't let the client connect to the internal network but would place it in quarantine until the appropriate updates were applied. A full-featured quarantine solution would automatically apply the updates to the quarantined client.

Windows 2003 Quarantine Functionality Windows 2003 has no integrated, full-featured quarantine functionality. However, Windows 2003 includes the basics of NAP through a little-used feature called Network Access Quarantine Control. This feature places connected clients that don't comply with corporate computer policies in a special quarantine mode that limits their access to the private network. But Network Access Quarantine Control lacks automation functionality. For example, you must write scripts to determine whether the client meets the network's policies, install the updates on clients that don't meet them, and grant the client remote access to the private network.

If that sounds like a lot of work, that's because it is—which is why so few enterprises have rolled out Network Access Quarantine Control solutions. The recently released Microsoft Internet Security and Acceleration (ISA) Server 2004 can make the quarantine process somewhat easier. But not until R2 ships will Microsoft deliver its first full-featured NAP quarantine solution.

How R2 Will Improve Security In R2, NAP will perform three basic services. First, NAP will determine whether remote clients comply with your enterprise's security policies. Second, it will place noncompliant machines in a restricted, quarantined area of the network, where they will have only guest access to the network. Finally, NAP will provide administrators with simple GUI tools to help bring noncompliant machines into compliance.

In typical Microsoft fashion, NAP isn't a standalone feature. Microsoft is working with dozens of partners who will extend NAP to work with their own products. So, companies such as BindView, Citrix, and HP will be creating NAP−savvy products that will integrate as well with R2 as Microsoft's own products (e.g., Systems Management Server—SMS) will. Hence, NAP likely will work with your third-party VPN solution or antivirus product.

Recommendations NAP is an exciting and much-needed development—one that you should monitor closely. The feature will run only on R2 servers but will work in any standard Microsoft infrastructure, regardless of the Windows Server version your domain controllers (DCs) use. Given the security climate today, this type of functionality will be crucial to businesses of all sizes. As far as I'm concerned, it can't come soon enough. Indeed, if you're concerned about the amount of time it will take to get R2, you might want to look around for a similar solution. One technology to watch is VMware Assured Computing Environment (ACE), a virtual machine (VM)−based solution that provides contractors, telecommuters, and other mobile workers with secure environments through which they can connect to network resources.